cPanel have recently reported a critical EXIM vulnerability: CVE-2019-10149. So, we’re getting you up to speed on what this means for you and how you can protect yourself against this threat.
The vulnerability affects Exim versions 4.87 to 4.91 and allows attackers to remotely execute commands as the root user.
Firstly, if you’re on version 80 in Web Host Manager (WHM) then no further action is needed as the vulnerability does not affect this newer version.
For versions 78, 76 and 70, cPanel have released updates so you need to check if your version has been patched. To do so, you can run the command rpm -q exim on your server via SSH.
If you see something like below, or if you see Exim version 4.92+, then you’re patched:
For Version 78: exim-4.92-1.cp1178.x86_64
For Version 80: exim-4.92-1.cp1180.x86_64
For Version 70 and 76: exim-4.91-4.cp1170.x86_64
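The check above can be scripted. The following is an added example, not a cPanel or UKFast script: the function name classify_exim is hypothetical, the sample lines other than the three builds listed above are constructed, and it assumes a 4.91 package with RPM release number 4 or higher carries the backported fix.

```shell
#!/bin/bash
# Added example: classify one line of `rpm -q exim` output using this article's rules.
#   patched       Exim 4.92+, or 4.91 with RPM release >= 4 (assumption based on
#                 the listed build exim-4.91-4.cp1170)
#   vulnerable    Exim 4.87 to 4.91 without that release
#   not-affected  older than 4.87, outside the range the article gives
#   unknown       anything that is not an exim package string
classify_exim() {
    pkg=$1
    case $pkg in
        exim-*.*-*) ;;
        *) echo unknown; return 0 ;;
    esac
    rest=${pkg#exim-}        # e.g. 4.91-4.cp1170.x86_64
    version=${rest%%-*}      # 4.91
    release=${rest#*-}       # 4.cp1170.x86_64
    relnum=${release%%.*}    # 4
    major=${version%%.*}     # 4
    minor=${version#*.}      # 91 (any third component is dropped next)
    minor=${minor%%.*}
    # Reject anything whose version or release fields are not plain numbers.
    for n in "$major" "$minor" "$relnum"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 92 ]; }; then
        echo patched
    elif [ "$major" -lt 4 ] || [ "$minor" -lt 87 ]; then
        echo not-affected
    elif [ "$minor" -eq 91 ] && [ "$relnum" -ge 4 ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Demo: the first three strings are the builds listed above, the rest are constructed.
# On a real server use: classify_exim "$(rpm -q exim)"
for sample in \
    "exim-4.92-1.cp1178.x86_64" \
    "exim-4.92-1.cp1180.x86_64" \
    "exim-4.91-4.cp1170.x86_64" \
    "exim-4.91-3.cp1170.x86_64" \
    "exim-4.89-2.cp1170.x86_64" \
    "package exim is not installed"
do
    printf '%-32s %s\n' "$sample" "$(classify_exim "$sample")"
done
```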
Although cPanel have patched this on versions 76 and 70, these are end of life and it has been confirmed that no further updates will be released. So for best practice, and to ensure you can patch your systems in the future, upgrade to the latest version now.
If you’re still using Easy Apache 3, this will prevent you from upgrading to version 76 and above. First, you need to migrate to Easy Apache 4.
You can see if you’re on Easy Apache 3 by logging into your WHM panel. You will see a similar notice to the one below.
As Easy Apache 4 only supports PHP 5.4+ and Apache 2.4, you need to ensure that your sites are compatible. Since everything below PHP 7.2 is end of life, or in maintenance, they should be compatible. But you can check using these links:
https://documentation.cpanel.net/display/EA4/Apache
https://documentation.cpanel.net/display/EA4/PHP+Home
Once you’ve checked compatibility, we recommend you save your current Easy Apache 3 profile before migrating from Easy Apache 3 to 4 using the Easy Apache 4 migration tool in WHM. Once the migration from Easy Apache 3 to 4 is complete, then you can upgrade your WHM version.
You may get an error at this stage saying the upgrade is blocked. You will need to edit your /etc/cpupdate.conf to read, for example:
CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily
Once you have completed this update (upcp), set this back to the following:
CPANEL=release
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily
As a result of this vulnerability, some people have been infected with a crypto coin miner. To check and protect yourself against this threat, please see the recommendations below:
If you’re concerned your server may be compromised, you may need to carry out a compromise investigation by arranging this through your account manager or seeking help from an external cybersecurity organisation.
If you need any more guidance on how to update, please don’t hesitate to contact the UKFast support team on 0800 923 0605 – we’re here to help!
We provide the highest level of customer support in our industry, meaning you won’t find a provider with the same level of support anywhere else.